From: Harry Wentland <harry.wentland@amd.com>
To: <amd-gfx@lists.freedesktop.org>, <sunpeng.li@amd.com>,
<alexander.deucher@amd.com>, <christian.koenig@amd.com>,
<rodrigo.siqueira@amd.com>, <patrik.r.jakobsson@gmail.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Subject: [PATCH 1/3] drm/amd/display: Don't allow partial copy_from_user
Date: Wed, 27 Oct 2021 10:26:33 -0400 [thread overview]
Message-ID: <20211027142635.9459-2-harry.wentland@amd.com> (raw)
In-Reply-To: <20211027142635.9459-1-harry.wentland@amd.com>
There is no reason to allow for partial buffers from
userspace in our debugfs. In this particular case
callers will zero out the wr_buf but if callers in
the future don't do that we might be looking at
corrupt data.
Linus puts it better than I can in
https://lkml.org/lkml/2021/10/26/993
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
---
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
index 1a68a674913c..b30307ccff12 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -78,12 +78,10 @@ static int parse_write_buffer_into_params(char *wr_buf, uint32_t wr_buf_size,
wr_buf_ptr = wr_buf;
- r = copy_from_user(wr_buf_ptr, buf, wr_buf_size);
-
- /* r is bytes not be copied */
- if (r >= wr_buf_size) {
- DRM_DEBUG_DRIVER("user data not be read\n");
- return -EINVAL;
+ /* r is bytes not be copied */
+ if (copy_from_user(wr_buf_ptr, buf, wr_buf_size)) {
+ DRM_DEBUG_DRIVER("user data could not be read successfully\n");
+ return -EFAULT;
}
/* check number of parameters. isspace could not differ space and \n */
--
2.33.0
next prev parent reply other threads:[~2021-10-27 14:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 14:26 [PATCH 0/3] Fix out of bounds writes in amdgpu_dm_debugfs Harry Wentland
2021-10-27 14:26 ` Harry Wentland [this message]
2021-11-03 14:49 ` [PATCH 1/3] drm/amd/display: Don't allow partial copy_from_user Rodrigo Siqueira Jordao
2021-10-27 14:26 ` [PATCH 2/3] drm/amdgpu: Fix even more out of bound writes from debugfs Harry Wentland
2021-10-27 14:26 ` [PATCH 3/3] drm/amd/display: Fix dp_max_bpc out of bounds write Harry Wentland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211027142635.9459-2-harry.wentland@amd.com \
--to=harry.wentland@amd.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=patrik.r.jakobsson@gmail.com \
--cc=rodrigo.siqueira@amd.com \
--cc=sunpeng.li@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.